Systems and methods for compression of key sets having multiple keys

ABSTRACT

Systems, methods and modulated data signals are described herein that provide an efficient way to derive a single key from which a user can extract virtually any number of data encryption keys. A database is logically divided into segments and a small prime number is associated with each segment. An encryption key is derived for each segment in the database and a key set is determined for distributing a data subset to a user. Each segment is encrypted with the corresponding encryption key. A single key is derived using the prime numbers associated with the data segments and the single key, the encrypted database, and a small amount of public information is provided to the user. The user utilizes this information to extract the encryption key set from the single key. One implementation utilizes a tree structure to significantly reduce the number of modular exponentiations that must be calculated when extracting the encryption keys. This, in turn, dramatically decreases the processing overhead that must be allocated to the processing associated with deriving the encryption keys.

RELATED APPLICATIONS

This application stems from and claims priority to U.S. ProvisionalApplication Ser. No. 60/149,107, filed on Aug. 13, 1999, the disclosureof which is incorporated by reference herein. This application is acontinuation of U.S. patent application Ser. No. 09/638,041, filed Aug.12, 2000, the disclosure of which is incorporated by reference herein.

TECHNICAL FIELD

The systems and methods described herein relate to compression,distribution and decompression of cryptographic keys. More particularly,the described implementations relate to compression, distribution anddecompression of key sets having multiple cryptographic keys.

BACKGROUND

There are systems in which it is desirable to distribute a largedatabase or other information set to multiple users, each user to haveaccess to different subsets of the data. Besides databases, such systemsinclude pay-per-view broadcasts in which each customer has purchasedviewing rights to a different set of programs, in-flight entertainmentsystems, and fingerprinting methodologies wherein multiple copies ofeach content clip are produced and each recipient is given access toexactly one of the copies of each clip.

One method to enable each user to access the data to which the user isentitled is to separately encrypt each datum and distribute to the useronly the keys to the exact subset of data to which the user is entitled.Thus, the problem of distributing different data sets is reduced to theproblem of distributing different key sets, each key set being a subsetof a universe of keys.

If the universe of keys is large, then the subsets of keys that must becustomized and separately sent to each individual user may be large.This can impose substantial burdens on the distribution system.

For example, suppose that each of m customers in a cable televisionsystem, on which k pay-per-view shows are to be aired over a givenperiod, is to be given some subset of k keys. If each customer, onaverage, obtains rights to r of these k shows, then conventional methodswould require that a total of mr keys be distributed. There is a pointwhere the number of customers can be so large as to make distribution ofthe total number (mr) of keys impractical.

SUMMARY

Methods and systems are described herein that allow an encrypteddatabase and a single key to be given to each of multiple users so thateach user can access a subset of the database to which the user isentitled. The single key given to each user may be different from eachsingle key provided to each of the other users. From the single keyreceived by each user and a small amount of shared public information,each user can generate the entire set of keys—and only those keys—towhich the user is entitled.

In the example given above for the customers in a cable televisionsystem, the implementations described herein allow the total number ofkeys distributed to be reduced to m. This makes a significant differenceif the distribution is to take place over a limited medium such as acable or a single (same for everyone) CD or DVD.

In addition, the implementations describe a mechanism whereby each setof keys can be compressed into a single key whose size is dependent onlyon a security parameter. For example, the number of distinct keys thatcan be compressed into a 1024-bit value is limited only by the number ofdistinct primes less than 2¹⁰²⁴ (said number being in excess of 2¹⁰¹⁴).

A small odd prime integer (p_(i)) is associated with each datum to beprotected. No prime is associated with more than one datum, and the setof these primes and their association is completely public. The owner ofthe data selects two large prime integers and forms their product (N).The owner of the data also selects a random base integer value (x). Areference value (y) may then be formed as the random base integer value(x) raised modulo N to the power of the product of all small primesassociated with the data. This reference value (y) can be made public.

The content key used to encrypt each datum to be secured is a fixedfunction—such as a cryptographic hash—of the p^(th) root modulo N of thereference integer value (y), where p is the small odd prime integer.

In one or more implementation described herein, the content key isalternatively derived by raising x to the power, modulo N, of theproducts of all primes to which the user is entitled except for theprime associated with the datum associated with the content key. Inother implementations, the reference value (y) is used instead of thebase integer value (x), and content keys are computed as roots of (y)rather than powers of (x).

Each user is then given x to the power, modulo N, of the product of allprimes which are associated with data to which the user is not entitled.From this single value, a user can easily compute the content key forall data to which the user is entitled. However, a user cannot obtainany content keys corresponding to data to which the user is notentitled. Furthermore, no group of users can conspire to obtain accessto any content keys to which none of the participants have individualaccess.

In another implementation, a tree structure is created and utilized todecrease the number of modular exponentiations that must be calculatedto derive the content keys. This significantly reduces the amount ofprocessor time that must be allocated for such operations.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of exemplary methods and arrangements ofthe present invention may be had by reference to the following detaileddescription when taken in conjunction with the accompanying drawingswherein:

FIG. 1 is a block diagram of an exemplary content player that issuitable for use in connection with the described embodiments.

FIG. 2 is a high-level block diagram of an exemplary operatingenvironment in which the described embodiments can be practiced.

FIG. 3 is a block diagram showing an exemplary content player that canbe utilized in connection with the described embodiments.

FIG. 4 is a block diagram that describes an exemplary encrypted contentpackage that can be utilized in connection with the describedembodiments.

FIG. 5 is a flow diagram that describes steps in a method in accordancewith the described embodiments.

FIG. 6 is a block diagram that depicts the FIG. 3 content player and theFIG. 4 encrypted content package.

FIG. 7 is a flow diagram that describes steps in a method in accordancewith the described embodiments.

FIG. 8 is a block diagram that diagrammatically depicts exemplaryprocessing steps in accordance with one described embodiment.

FIG. 9 is a block diagram that diagrammatically depicts exemplaryprocessing steps in accordance with one described embodiment.

FIG. 10 is a block diagram that shows several exemplary content playersin connection with one described embodiment.

FIG. 11 is a block diagram that shows exemplary content players inconnection with one described embodiment.

FIG. 12 is a flow diagram that describes steps in a method in accordancewith the described embodiments.

FIG. 13 is a flow diagram that describes steps in a method in accordancewith the described embodiments.

FIG. 14 is a block diagram of a content provider/content player systemwhich utilizes the present invention.

FIG. 15 is a flow diagram outlining a method for deriving multipleencryptions keys, then deriving a single key from which each of theencryption keys may be derived.

FIG. 16 is a flow diagram outlining a method for extracting each of theencryption keys from the single key.

FIG. 17 depicts a tree structure that is created and used tosignificantly reduce the number of modular exponentiation calculationsthat must be performed to carry out the present invention.

DETAILED DESCRIPTION

The following description sets forth specific embodiments thatincorporate elements recited in the appended claims. The embodiments aredescribed with specificity in order to meet statutory requirements.However, the description itself is not intended to limit the scope ofthis patent. Rather, the inventors have contemplated that the claimedinvention might also be embodied in other ways, to include differentelements or combinations of elements similar to the ones described inthis document, in conjunction with other present or future technologies.

Exemplary Operating Environment

The inventive principles described below can be employed in connectionwith any database to which an owner of the database wishes to allowmultiple users access to different data subsets of the database. Forpurposes of discussion, the implementations will be described within thecontext of a multi-media distribution system and, in particular, asuitable digital content player.

The implementations may be employed in connection with any suitabledigital content player. One exemplary digital content player is a DVDplayer that is utilized in an example throughout this document. It is tobe understood, however, that the illustrated DVD player constitutes butone exemplary type of digital content player.

FIG. 1 depicts an exemplary DVD content player 100 that is suitable forpracticing the described embodiments. The content player 100 contains amemory 102; a central processing unit (CPU) 104; a video subsystem 109,including a video display 108 and a graphics controller 110; a soundsubsystem 112, including both an audio controller 114 and a speaker 116;a DVD drive 106; a video decoder 118; an audio decoder 120; an inputdevice 122; and a secondary storage device 124. The memory 102 containsan operating system 126, such as the MICROSOFT.RTM. WINDOWS.RTM. 95operating system available from Microsoft Corporation of Redmond, Wash.,and a DVD player program 128. The DVD player program 128 is responsiblefor reading an audio-visual stream from the DVD drive 106, decoding theaudio-visual stream using the audio decoder 120 and the video decoder118, and rendering both the audio and video portions of the audio-visualstream on the sound subsystem 112 and the video display 108,respectively, such that the video portion of the audio-visual stream issynchronized 11 with the graphics controller 110.

The graphics controller 110 controls operations of the video display108. The graphics controller 110 stores video data to be displayed onthe video display 108 and instructs the video display to display thestored video data. In order to store the video data, the graphicscontroller 110 has a limited amount of dynamic random access memory thatit uses.

Both the audio decoder 120 and the video decoder 118 can be implementedas hardware circuits using conventional techniques for decoding theaudio or video data, like MPEG 1, MPEG 2, or AC3. One skilled in the artwill appreciate that the audio decoder 120 and the video decoder 118 canalso be implemented in software. One skilled in the art will recognizethat the video decoder 118, although depicted separately from thegraphics controller 110, can be implemented as part of the graphicscontroller.

As previously stated, the DVD player 128 reads the audio-visual streamfrom the DVD drive 106 and renders the audio-visual stream using thevideo subsystem 109 and the sound subsystem 112. The DVD player 128operates as an application program running on the operating system 126,and utilizes the operating system to access the DVD drive 106.Specifically, the DVD player 128 reads the audiovisual stream byrequesting the operating system 126 to open a file on the DVD drive 106that contains the audio-visual stream and by reading the stream from theDVD drive using normal file system calls of the operating system.

Generally, the CPU 104 of system 100 is programmed by means ofinstructions stored at different times in the various computer-readablestorage media of the system. Programs and operating systems cantypically be distributed, for the illustrated system, on DVDs. Fromthere, they are installed or loaded into the secondary memory or storageof the system. At execution, they are loaded at least partially into thesystem's primary electronic memory. The invention described hereinincludes these and other various types of computer-readable storagemedia when such media contain instructions or programs for implementingthe steps described below in conjunction with a microprocessor or otherdata processor. The invention also includes the system itself whenprogrammed according to the methods and techniques described below. Forpurposes of illustration, programs and other executable programcomponents such as the operating system are illustrated herein asdiscrete blocks, although it is recognized that such programs andcomponents reside at various times in different storage components ofthe computer, and are executed by the CPU of the system.

The additional specifics of the operation of a DVD content player areunderstood by those of skill in the art and are not explored in anyadditional detail here.

Exemplary Embodiment

FIG. 2 illustrates but one exemplary environment in which the inventivetechniques described below can be employed. It is to be appreciated thatthe illustrated and described environment is for exemplary purposesonly, and to assist the reader in understanding, more tangibly, how thedescribed inventive principles can be employed.

The FIG. 2 system comprises a system in which there are a limited orpredetermined number of digital content players 200, 202, 204. In thisexample, the digital content players are labeled as “Player 1”, “Player2”, and “Player N”. As indicated above, the content players can compriseany suitable player that is capable of playing any type of digitalcontent that is embodied on a readable medium. For purposes of thisspecific example, however, the content players can comprise DVD players,such as the one shown in FIG. 1, that are configured to play movies thatare embodied on DVD discs. One exemplary environment in which such DVDplayers can be used—where there are a limited number of players—is thein-flight entertainment environment. Specifically, such content playersare typically installed, semi-permanently, in commercial airliners sothat airline passengers can enjoy in-flight movies. These in-flightmovies are provided on DVD disks. Like other sources of digital content,these DVD disks can be subject to acts of commercial piracy. This isespecially so because the DVD disks typically contain feature films thatare still in limited release. FIG. 2 also shows a content provider 206that provides content to the content players. The content provider 206can be any suitable content provider such as the owner of the digitalcontent. In the in-flight entertainment example, an exemplary contentprovider would be the owner or distributor of in-flight movies embodiedon DVDs.

In designing systems for operation in an environment where digitalcontent will likely come under attack, it is desirable to move in adirection away from specialized hardware solutions. That is, in thepast, special tamper-resistant hardware has been used in an attempt toprotect digital content. This hardware is typically installed in aplayer and is directed to ensuring that it protects its digital content.Specialized hardware solutions are not ideal because they provide amotivation for hardware theft. Additionally, commercial pirates, beingof a sophisticated nature, can generally design their own specializedhardware solutions that play back pirated content. Thus, if one is tomove away from specialized hardware solutions, the natural direction isa software solution.

One past software solution that is less than ideal is to specially markeach digital content copy, i.e. movie, with its own unique identifierand to associate the marked copy with a particular airline or airplane.If or when a marked movie is copied, the identifier can be identifiedthrough analysis, and then easily traced back to the airline that“leaked” the movie. Currently, there is a push away from suchserialization techniques because of the economics involved.Specifically, serially marking each copy of a movie is an undesirablyexpensive process. Yet, there remains a desire to preserve as muchtraceability and trackability as possible.

Thus, in the FIG. 2 system, the ideal system would be one in which eachof the content players is identical in design, and devoid of specializedhardware. In addition, it would be ideal for the digital content that isdistributed to each of the players to be identical. In this way, theeconomics of producing copies of the digital content are not adverselyimpacted.

One premise of the inventive design described below is that if a contentplayer is a good or valid player, then any disc containing the digitalcontent inserted into the player will play. If the disc containing thedigital content is inserted into a bad or invalid player (such as apirate's player), it will not play. Additionally, if the digital contenton the disc is stolen, it should be traceable to the content player fromwhich it came.

The techniques discussed below provide a way to take a single piece ofencrypted content and have multiple different keys to decrypt thecontent such that, when the different keys are utilized to decrypt thecontent, the decrypted versions of the content will indicate which key,and hence, the content player from which it came. One aspect of thesetechniques is that a single consumer is required to possess manydifferent keys to decrypt the content. These multiple keys must betransmitted to the customer. If the number of keys required is small,e.g., eight keys, such transmission of the keys is not prohibitivelyexpensive. However, if the number of keys is large, e.g., severalhundred, transmitting the keys to the consumer may be very expensive, interms of resource overhead.

The inventive principles outlined below define implementations in whichmultiple keys can be “compressed” into a single key. The same encryptedcontent is transmitted to each consumer (or content player). Eachconsumer also receives a private key that the consumer can manipulate(with some public information) to derive a set of multiple keys that canbe used to access the portions of the content to which the consumer isentitled.

Exemplary Content Player

FIG. 3 shows content player 200 in somewhat more detail, along withother components that comprise an exemplary inventive system.Specifically, unencrypted content 300 is provided and constitutes anysuitable type of digital content that is to be protected. In thisparticular example, content 300 comprises a movie that resides on a DVDand is to be used for in-flight entertainment. A content key 302 isprovided and is used to encrypt all of the digital content on the DVD toprovide encrypted content 304. The content key can be any suitablecontent key, as will be appreciated and understood by those of skill inthe art. In the illustrated example, the content key is a symmetriccryptographic key. The content key encryption is typically carried outby the manufacturer of the DVD that carries the encrypted movie.

Now, if player 200 possesses the content key 302 then it can use thecontent key to decrypt and play the encrypted movie. If player 200 doesnot possess the content key, then it cannot decrypt and play the movie.

The following discussion illustrates but one exemplary way of securelyproviding the content players with the encrypted content key 302.

In the illustrated and described embodiment, player 200 is provided withtwo pairs of public/private keys. A key-loading pair 306 includes apublic key 308 and a private key 310. A device key pair 312 includes apublic key 314 and a private key 316. It is possible, however, for theplayers to have only a device key pair, as will become apparent below.

Every content player is configured to generate its own uniquekey-loading pair 306. The player maintains and protects the key-loadingprivate key 310 and provides the key-loading public key 308 to an entitywhose responsibility it is to assign device key pairs. This entitymight, for example, comprise the manufacturer of the content player.This entity maintains a list of content player serial numbers and theircorresponding key-loading public keys. The manufacture also maintains alist of device key pairs that are to be used by the individual contentplayers. The manufacturer uses the public key 308 of the key-loadingpair 306 to encrypt the private key 316 of the device key pair 312. Theencrypted private key 316 is then securely transferred to the contentplayer. At this point, the content player can use the private key 310 ofthe key-loading pair 306 to decrypt the private key 316 of the devicekey pair 312. Note that the above discussion 11 pertains to a system inwhich the device key pairs are externally generated by an entity such asa manufacturer. It is possible for the players to generate their owndevice key pairs after they are manufactured and export their publicdevice key to the manufacturer. This latter scenario would be the moresecure of the two insofar as it reduces the possibility that a privatedevice key might be compromised. Using a key-loading pair, however,makes it possible for subsequent device keys to be provided to thecontent player if, for example, the content player must be removed andserviced. In that case, the device keys for the content player wouldneed to be erased to prevent compromise. Of course, it is possible forthe content player to regenerate a new device key pair.

Accordingly, at this point, each content player has a device key pair,such as key pair 312, regardless of the way such pair came into being.The public device key 314 is then used, as indicated in the rightmostportion of the figure, to encrypt the content key 302 to provide anencrypted content key 318. The encrypted content key can then beprovided to the player 200 and decrypted using the player's privatedevice key 316. The player can now use the content key to decrypt theencrypted content 304.

Thus, the above discussion illustrates but one way of securely providinga content key to a content player so that the content player can use thecontent key to decrypt encrypted content. In the illustrated scenario ofin-flight entertainment systems, the content players are essentiallyself-contained so that there are no additional communication lines intoor out of the content player. With no additional communication lines,there must be some way of providing the encrypted content key to theplayer.

FIG. 4 shows an exemplary solution to this situation in the form of anencrypted content package 400, which includes the encrypted content 304(which, in this example, is the encrypted movie) and a so-calledencrypted content key assembly 402. Both the encrypted content 304 andthe encrypted content key assembly 402 are provided on the DVD. Theencrypted content key assembly 402 contains multiple encrypted contentkeys 318 a-n-one for each valid content player. So, in this examplewhere there are 1 through N content players, the encrypted content keyassembly contains an encrypted content key for each content player.

FIG. 5 is a flow diagram that describes a method of associatingencrypted content with a content key that was utilized to encrypt thecontent. Step 500 encrypts digital content with one or more contentkeys. Any suitable content key can be used. Step 502 encrypts thecontent keys with different public device keys. This provides multipledifferently encrypted content keys. Step 504 associates the encrypteddigital content with one or more of the encrypted content keys. In theabove example, this association is embodied in an encrypted contentpackage 400. Step 506 distributes the associated encrypted content andencrypted content keys to one or more content players. In the aboveexample, distribution takes place by embodying the encrypted contentpackage 400 on a DVD and distributing the DVD to suitable contentplayers.

With the encrypted content package having been formed, it can now beprovided to the various content players, as indicated by FIG. 6. In thisexample, the encrypted content package 400 is provided to a particularplayer by inserting a DVD embodying the encrypted content 304 andencrypted content key assembly 402 into the content player. The playeris configured to find the content key(s) that have been encrypted withits public device key 314 (FIG. 3), decrypt the encrypted content key(s)using its private device key, and then decrypt the encrypted content 304using the content key(s) so that the content or movie (in this example)can be displayed. Thus, only authorized content players are able toaccess the encrypted content key(s) to decrypt the movie. Anyunauthorized content player will not be able to decrypt the encryptedcontent.

FIG. 7 is a flow diagram that describes a method of accessing encryptedcontent. The method can be implemented in any suitable hardware,software, firmware or combination thereof. In the illustrated in-flightentertainment example, the method is implemented by a content player.

Step 700 receives encrypted content and one or more encrypted contentkeys. In the illustrated example, the encrypted content and contentkey(s) are embodied as an encrypted content package on a common mediumin the form of a DVD. Advantageously, in this example, multipledifferentially encrypted content keys are provided in the form of anencrypted content key assembly, such as assembly 402 in FIG. 400. Thecontent keys are desirably encrypted using the public device key foreach of the players to which the encrypted content is distributed. It ispossible, however, for the encrypted content and the encrypted contentkey to be separately received by a content player. For example, acontent player might comprise a set-top box that first receives theencrypted content key(s), and then receives the encrypted content. Step702 locates the encrypted content key(s) that corresponds to the contentplayer in which the encrypted content is received. Step 704 decrypts theencrypted content key(s) using the private device key of the contentplayer. Step 706 then uses the decrypted content key(s) to decrypt theencrypted content that was received.

This approach works especially well in environments where there are onlya limited number of content players. The approach provides a secure,self-contained package that can only be opened by authorized contentplayers. One of the problems with the above system, however, is that ifthe content is valuable enough, a pirate could conceivably steal orotherwise access a content player to get to the encrypted contentpackage. The pirate could then conceivably access the encrypted content304 in much the same way as the player would. Accordingly, what isneeded and desirable is a system similar to the one described above, butin which any unauthorized copies of digital content are directlytraceable to the particular content player, or more specifically, theparticular content key(s) that were used to access the digital content.

Exemplary Differential Decryption System and Method

Digital fingerprinting is commonly desired to offer some protection fordigital content. Traditionally, when intellectual property such asfilms, songs, or even software is illegally copied and resold, there islittle if any ability to trace the source of the leak. Individuallyfingerprinting each legitimately distributed copy offers some measure ofprotection, but also presents a large burden. The approach about to bedescribed drastically reduces this burden, regardless of thefingerprinting system used.

The embodiment about to be described carries with it some advantages ofwhich the inventors are unaware in other protection schemes. First, evenif a content player is stolen or otherwise compromised and the contentdecrypted with its associated content key(s), the decrypted contentitself inherently indicates the source of the content. Thus, if and whenillegal copies are made, the source of the content is readilyidentifiable. Second, the overall system is dynamic in the sense that itis not dependent on any one fingerprinting technology. That is, asfingerprinting technology continues to evolve, new techniques can beeasily and seamlessly incorporated into the inventive systems withoutany need to modify the content player's hardware.

In the discussion that follows, any suitable fingerprinting (orwatermarking) method can be used. Such methods will be understood bythose of skill in the art. FIG. 8 shows unencrypted content 800 whichcan be any suitable unencrypted content. In the in-flight entertainmentexample, the unencrypted content comprises a movie.

At this point, the unencrypted content has not been placed onto themedium that will ultimately carry it to the content player. All or partof the unencrypted content is partitioned into multiple partitions. Thepartitioning of the content can take place over the entire content, orjust a portion. For example, an entire movie can be partitioned, orseparate individual partitions can be defined within the body of themovie itself. In the movie embodiment, these partitions are also termed“clips”. A clip or partition should be large enough to support afingerprint or watermark therewithin. In the illustrated example,multiple partitions corresponding to the unencrypted content 800 areshown at 802, 804, 806, 808, and 810. Once the partitions have beendefined one or more copies of each partition or clip is made to definemultiple corresponding partition sets. Each of the individual partitionsof a partition set is then separately and uniquely marked, as by anysuitable fingerprinting or watermarking technique. For example, in theillustrated figure, partition 802 has a corresponding partition 802 a.Partition 802 is designated as “A” and partition 802 a is designated as“A*” to indicate that the partitions are corresponding partitions thathave been separately and uniquely marked with a different fingerprint orwatermark. Together the individual partitions 802, 802 a define apartition set 812. The same can be said of the remaining partitions.That is, each partition 804, 806, 808, and 810 has a correspondingrespective partition 804 a, 806 a, 808 a, and 810 a. These correspondingpartitions define partition sets 814, 816, 818, and 820 respectively.Each of the partitions within a partition set is uniquely and separatelymarked with a different fingerprint or watermark. It will be appreciatedthat any portion of the partition or clip can be fingerprinted. Forexample, with a movie, the audio and/or video bit stream could have afingerprint inserted therein. Flexibility is provided in that any knownor subsequently developed fingerprinting or watermarking technique canbe utilized.

As an aside, it will be appreciated that the definition and marking ofthe individual partitions need not take place in that order or asseparate steps. Specifically, it is possible for the partitions to beinherently defined and marked in the very process that is used to createthe unencrypted content. For example, with respect to a movie, severalscenes of the movie might be filmed with two different cameras atslightly different angles. In this case, the movie scenes would comprisethe partition or clip, and angular difference as between the two filmedscenes would provide a mechanism by which the scenes are uniquely markedor fingerprinted.

After the partitions are defined and uniquely marked as described above,each partition of a partition set is encrypted with a different key.

FIG. 9 shows, for example, partition sets 812-820 on the leftmost sideof the figure and the resultant encrypted partition sets 812 a-820 a onthe rightmost side of the figure. Individual different keys areassociated with each of the uniquely marked partitions. For example,partitions 802, 804, 806, 808, and 810 are associated respectively withKeys A′, B′, C′, D′, and E′. These keys are utilized to encrypt thepartitions to provide respective partitions 802 b, 804 b, 806 b, 808 b,and 810 b of partition sets 812 a-820 a. Similarly, partitions 802 a,804 a, 806 a, 808 a, and 810 a are associated respectively with KeysA*′, B*′, C*′, D*″, and E*′. These keys are different from Keys A′, B′,C′, D′, and E′ and are used to encrypt partitions 802 a, 804 a, 806 a,808 a, and 810 a to provide partitions 802 c, 804 c, 806 c, 808 c, and810 c of partition sets 812 a-820 a.

Accordingly, at this point, all of the partitions have been uniquelymarked (as by suitable fingerprinting or watermarking techniques) andencrypted with different keys. Next, individual unique key collectionsare defined in which in any one collection there appears one and onlyone key for one partition or clip in each partition set. In theillustrated example, no two key collections are the same. Thus, if thereare N original partitions or clips (before copying and marking takesplace), each content player would receive a key collection comprising Nkeys. In this application, no two key collections are identical. Eachkey collection is then associated with a corresponding content playerand encrypted with the content player's public device key. Recall thatby encrypting the key collection with the content player's public devicekey, only the content player with the corresponding private device keycan decrypt the encrypted key collection to access the encryptedcontent. When the content player accesses the encrypted key collectionand decrypts it using their private device key, they now have thecorresponding keys to decrypt the encrypted partitions or clips. Whenthe partitions or clips are decrypted, the content player is presentedwith a uniquely fingerprinted version of the original digital content.For purposes of this document, a key collection for a content player canbe considered as a “content key”.

It will be appreciated that the encrypted content and the encryptedcollection of keys for each content player can be delivered via anysuitable medium. For example, the encrypted content might be deliveredover a transmission medium such as the Internet, with the individualencrypted key collection for a particular player being delivered in thesame manner. Alternately, the encrypted content and an encrypted keycollection might be delivered commonly on the same medium. In thein-flight entertainment example, recall that one of the motivations wasto provide identical DVDs for each valid content player. This means thatnot only does the encrypted content have to be identical, but the DVDshould contain all of the encrypted key collections for each of thevalid content players. Thus, if there are 50,000 valid DVD players, thenthere should be 50,000 encrypted collections of keys-one for eachcontent player.

FIG. 10 shows content players 200, 202, and 204. Each of the contentplayers has been loaded with an identical DVD containing an encryptedcontent package 400. Each encrypted content package 400 includes theencrypted content 304 having the encrypted uniquely marked partitions orclips, as well as the encrypted content key assembly 402 containing allof the key collections that have been encrypted with each contentplayer's public device key. (As will be discussed in greater detail,below, the encrypted content key assembly 402 actually contains onecompressed key for each content player. The content player derivesmultiple keys, or a key collection, from the compressed key.)

FIG. 11 diagrammatically illustrates the process by which the individualcontent players access their individual compressed keys to derive theirindividual encrypted key collections and decrypt them to access the keysthat have been used to encrypt the individual partitions or clips.Specifically, and with reference to content player 200, the contentplayer is programmed to access the encrypted content key assembly 402 tofind their encrypted key collection 1100. Once the player locates itsencrypted key collection 1100, it decrypts it using its private devicekey 316 to provide the unencrypted key collection 1102. In thisparticular example, the unencrypted key collection for player 200comprises the following keys: A′, B′, C*′, D*′, and E′. Similarly,player 202 accesses its encrypted key collection 1104 and decrypts itusing its private device key 316 a to provide the unencrypted keycollection 1106. In this particular example, the unencrypted keycollection for player 202 comprises the following keys: A*′, B′, C′, D′,and E*′. Notice that the key collection is different for each of thecontent players. The same can be said of all of the content players inthe universe of content players. Accordingly, no two content playershave exactly the same key collection. As such, it logically follows thateach content player, by virtue of using its unique key collection todecrypt the content's partitions, is presented with a slightly differentversion of the original digital content. Recall that each individualpartition is individually differently fingerprinted or watermarked. As aresult, when the partitions are decrypted by the content players, eachindividual version of the digital content is uniquely fingerprinted.Because the unique key collections are associated with the individualcontent players, if an unauthorized copy is made, its fingerprint can beascertained and hence, from this information, the key collection thatwas used to decrypt the content can be ascertained. Because each contentplayer was given a unique key collection, the precise content playerfrom which the digital content was obtained can be ascertained.

FIG. 12 is a flow diagram of steps in a method in accordance with thedescribed embodiment. The method can be implemented in any suitablehardware, software, firmware, or combination thereof. In the illustratedexample, these steps are likely to implemented by the manufacturer of aDVD or its assignees prior to distribution of its digital content. Step1200 partitions unencrypted content into multiple partitions. This canbe done by in any suitable way. For example, the unencrypted content cancomprise the audio stream of a movie and suitable places to partitionthe audio stream can be ascertained by looking for where the stream isthe least complex. Alternately the video stream can be partitioned. Step1202 makes multiple copies of the partitions to provide multiplecorresponding partition sets. Examples of partition sets are given inFIG. 8. Step 1204 uniquely marks each individual partition of apartition set. This can be accomplished using any suitable known orsubsequently developed fingerprint or watermarking technique. Recallalso that these steps can be implemented in a more integrated fashion asthrough the use of multiple camera angles in certain movie scenes. Inthat case, by virtue of using two different camera angles for thecertain movie scenes, the unencrypted content (i.e. the entire movie)can be considered as being partitioned into partitions (step 1200) withmultiple copies of the partition being made (step 1202). The multiplecopies would, in this case, be provided by the different camera angles.The act of filming the movie scenes from the different camera angleswould uniquely mark each individual partition.

Step 1206 associates a unique key with each uniquely marked partition.An example of this is given in FIG. 9. Step 1208 encrypts each partitionwith its unique key.

Step 1210 defines individual unique key collections containing one keyfrom each corresponding partition set. The individual keys that compriseeach key collection are selected so that no two key collections containall of the same individual keys. Each of the key collections is thenassociated with a corresponding content player (step 1212). At thispoint, consider for example, one of the advantages of this system. Thepresently described association of unique key collections is differentfrom other systems that have been employed in the past for the followingreason. Here, the particular key collection that authorizes a contentplayer to access the encrypted content is inextricably bound to aparticular fingerprint in an index of fingerprints. In other words,there is a unique fingerprint for each version of the digital contentthat a content player is to play. That unique fingerprint isinextricably associated with the authorized key collection for aparticular content player. By virtue of decrypting the encrypted contentusing its unique key collection, a content player inherently exposes afingerprint that points directly back to that content player.

Step 1214 encrypts each key collection for a content player with itspublic device key. Step 1216 then provides the encrypted content and theencrypted key collection to each content player. This step can beimplemented by first providing the encrypted content and then secondproviding the encrypted key collection. That is, the provision of theencrypted content and key collection need not take place at the sametime. For example, an encrypted key collection might be provided to acontent player such as a set-top box. Subsequently, encrypted contentcan be delivered to the set-top box and decrypted using the individualkeys of the key collection. Delivery of the encrypted content and keycollection can take place via different delivery media. For example, theencrypted content might be delivered via the Internet, while theencrypted key collection resides on a smart card or the like. In otherembodiments, both can be delivered together on the same media. Forexample, a DVD might carry both an encrypted movie as well as anencrypted key collection for the content player. Additionally, in thein-flight entertainment example given above, we see how it is possiblefor the encrypted content and multiple differently encrypted keycollections to be delivered together.

FIG. 13 is a flow diagram that describes steps in a method for receivingand playing encrypted content in accordance with the describedembodiment. This method can be implemented by suitably programmedcontent players. As mentioned above, any suitable content players can beutilized in connection with any suitable encrypted content. In aspecific example, the content player comprises a DVD player.

Step 1300 receives encrypted content. The encrypted content can bereceived via any suitable content-carrying medium. One exemplary andnon-limiting example of such a medium is a DVD. The encrypted contentcontains different encrypted versions of the original digital content.In the examples given above, these different versions are embodied inmultiple partitions or clips that are separately marked and encryptedwith different keys. Step 1302 receives an encrypted key collection thatcontains individual keys that can be utilized to decrypt selectedpartitions of the encrypted content that is received. The encrypted keycollection can be received via any suitable medium. Such medium can bethe same as or different from the medium that is used to deliver theencrypted content. Additionally, receipt of the encrypted key collectioncan take place either contemporaneously with, or at a time that isdifferent from when the encrypted content is received. Step 1304decrypts the associated encrypted key collection to provide anunencrypted key collection. In the example above, this is done by theplayer using its private device key (with the key collection having beenencrypted with the player's public device key). In embodiments wheremultiple encrypted key collections are provided to a content player, asin the in-flight entertainment example, the player would first ascertainits specific encrypted key collection from the assembly of keycollections it received and then decrypt it. Step 1306 then selects apartition that is associated with each key of the decrypted keycollection and step 1309 decrypts each selected partition using theassociated key. Step 1310 then plays the decrypted partitions.

“Compressing” The Encrypted Content Keys Into a Single Key

Although the implementations described above work well to solve theidentified problems, another problem may arise in the use of suchmethods if the number of keys provided to each content player issignificantly large. For example, to prevent certain kinds of collusionattacks, it may be desirable to provide a thousand or more distinctcontent keys. If the number of content players and the number of contentkeys per player are large, then depending on the medium on which thecontent and keys are situated, the total number of content keys maybecome prohibitively large. If, however, each content player requiresonly a single key, then the number of content keys on the medium may bereduced by a factor of a thousand or more.

FIG. 14 is a block diagram that depicts a provider/player system 1400that includes a content provider 1402 and a content player 1404. Thesystem 1400 includes a digital database 1406 comprising unencryptedcontent. The database 1406 is shown having a first version of a movie1408 and a second version of a movie 1410. The first version of themovie 1408 differs from the second version of the movie 1410 in someslight way so that the first version of the movie 1408 can bedistinguished from the second version of the movie 1410, as previouslydescribed.

In the present example, the database 1406 is logically divided intoeight (8) segments 1412-1426. The first version of the movie 1408comprises segment 1412, segment 1416, segment 1420 and segment 1424. Thesecond version of the movie 1410 comprises segment 1414, segment 1418,segment 1422 and segment 1426. The segments 1412-1426 may be mixed tocreate a mixed version of the movie. For example, a movie may consist ofsegment 1412, segment 1418, segment 1422 and segment 1426. Althoughthere are eight total segments, but only four segments are needed toview the entire movie. In this example, there are sixteen (2⁴)combinations of segments that will render a complete movie. If, forexample, the movie were divided into 10 segments, there would be 1,024(2¹⁰) possible mixed versions. If there were three versions of the moviedivided into four segments, then there would be 81 mixed movies (3⁴),and so on. The segmentation of the movies and the number of movieversion is irrelevant to the inventive principles described herein.

A prime set 1428 is created that contains prime numbers, each primenumber corresponding to one segment 1412-1426. Although any primenumbers may be used, for efficiency considerations, small prime numbersare advantageous in this method. Furthermore, the numbers correspondingto the segments do not have to be prime numbers, they may simply beordinals, though this is less efficient than if the number are prime.However, it is noted that any reference below to a prime set may alsoinclude an ordinal set, and any reference below to a prime subset mayalso include an ordinal subset. The ordinal set and the ordinal subsetare not necessarily prime numbers, as composite integers can also beused. Thus, the “prime set” 1428 need not actually consist of primenumbers.

The small prime numbers and their associated segments are publiclyknown. In FIG. 14, the prime numbers associated with the segments are:Segment Prime Number 1412 3 1414 5 1416 7 1418 11 1420 13 1422 17 142419 1426 23

For convenience, an ordinal may also be assigned to each segment tocreate an index subset 1430. In the present example, the followingindices are associated with the following segments: Segment Index 1412 11414 2 1416 3 1418 4 1420 5 1422 6 1424 7 1426 8

The content provider makes a determination as to which segments1412-1426 will be selected to make up a movie for use on the contentplayer 1402. For discussion purposes, assume that a movie, M, to be usedfor the content player 1402, is comprised of segment 1 (1412), segment 4(1418), segment 6 (1422) and segment 7 (1424). A prime subset (PS) 1446is associated with movie M, in this instance consisting of PS={3, 11,17, 19}. The index subset 1430 that is associated with the movie M is,therefore, I={1, 4, 6, 7}.

The content provider 1402 includes a key compression system 1432, anencryption module 1434 and an encryption content package 1436 that issimilar to the encryption content package 402 of FIG. 4. The keycompression system 1432 includes an integer modulus generator 1438 thatis configured to select two large prime integers Q₁ and Q₂ and formtheir product, N=Q₁Q₂ (N=the integer modulus 1439). Although it is notstrictly required, it is preferred that Q₁ and Q₂ each be safe primes(one greater than twice a prime). It is required that no prime number inthe prime set, P, 1428 divide either (Q₁−1) or (Q₂−1). It is noted thatN may comprise the product of more than two prime numbers or N may bearbitrarily selected. However, in the preferred implementation, N is theproduct of two large prime numbers.

A random integer generator 1440 selects a random value, x, in themultiplicative subgroup of the integers modulo N. In other words, x hasno factors (greater than one) in common with N. Furthermore, the randomvalue, x, is greater than one but less than (N−1) (1<x<N−1). A prime setderivation module 1442 derives the prime set 1428 associated with theunencrypted content (movie segments 1412-1428). A prime subsetderivation module 1444 is configured to derive a prime subset 1446 thatincludes the prime numbers from the prime set 1428 that are associatedwith the data subset that comprises each instance of a movie, M.

A key encryption module 1448 is configured to derive data encryption key1 1451, data encryption key 2 1452, data encryption key 3 1453, dataencryption key 4 1454, data encryption key 5 1455, data encryption key 61456, data encryption key 7 1457 and data encryption key 8 1458. Insteadof being chosen at random, the data encryption keys 1451-1458 areselected (pre-hash) to be the pth root modulo N of the random value, x,raised to the product of all prime numbers in the prime set 1428 (wherep is the prime number in the prime set 1428 that is associated with thesegment for which a key is being derived).

For example, to derive encryption key 1 1451, a value, y, is derived byraising the random value x, modulo N, to the product of all primes inthe prime set 1428:y=x^(IIP).

A preliminary encryption key is thus:PK₁=y^(1/p1) mod N.

Another way to derive the preliminary encryption key without having todeal with roots, is to apply the following formula:PK₁=x^(IIP/p1) mod N,where p1 is the prime number associated with data segment 1 1412. It isnoted, however, that reference made herein to exponentiation alsoapplies to taking roots of a value, since taking a root implies raisinga value to a fractional exponent.

The data encryption key 1 1451 is then found by applying a fixeddeterministic function (such as a hash) to the preliminary encryptionkey:K₁=SHA-1(PK₁).

No requirements are placed on this fixed deterministic function (itcould even be the identity function). However, use of a cryptographichash function such as the Secure Hash Algorithm (SHA-1) may enhance thesecurity of the system.

The encryption key derivation module 1448 derives each of the other dataencryption keys 1452-1458 in this manner. The data encryption keys1451-1458 are then applied to the unencrypted content 1406 as previouslydescribed to derive the encrypted content 1459.

A compressed key generator 1460 generates a single, compressed key 1461from which each of the data encryption keys in M—1451, 1454, 1456 and1457 in this example—can be derived. The compressed key (CK) 1461 isdetermined by raising x modulo N, to the power of all primes that are inthe prime set 1428 but not in the prime subset 1446 consisting of primesassociated with keys 1451, 1454, 1456 and 1457-a complement prime set,CP:CK=x^(II(CP)) mod N.

Alternatively, if dealing with roots and the previously defined value,y, instead of exponents, the compressed key, CK, is derived by raisingy, modulo N, to the power of all primes in the prime subset, PS:CK=y^(II(PS)) mod N.

The encrypted content package 1436 includes the encrypted content 1459,the compressed key 1461, the integer modulus (N) 1439, the prime subset(PS) 1446, and the index (I) 1430). The encrypted content package 1436is provided to the content player 1404.

In an alternative implementation of the key compression subsystem 1432,the integer generator 1440 is not required to be random. In thisimplementation, the output of 1440 (denoted by (y)) is used by the keyderivation module 1448 to generate preliminary encryption keys byapplying the formula:PK₁=y^(1/p1) mod N.The compressed key generator 1459 can then derive a compressed key byapplying the formula:CK=y^(1/II(PS)) mod N.

A key recovery module 1462 is included in the content player 1404 and isconfigured to generate the data encryption keys 1451, 1454, 1456 and1457 so that the encrypted content 1459 may be decrypted. It is notedthat the key recovery module 1462 is configured to generate each dataencryption key 1451-1458 that may be included in the compressed key. Inthe present example, however, only data encryption keys 1451, 1454, 1456and 1457 may be recovered by the content player 1404, since these dataencryption keys correspond with the data segments that make up the moviein this example, M.

To derive data encryption key 1 1451, the key recovery module 1462raises the compressed key 1461 to the power, mod N, of the product ofthe prime numbers in the prime subset (PS) 1446 except for the primenumber associated with the segment corresponding to the key to berecovered, in this case, segment 1 1412.

This derives a preliminary data encryption key:PK₁=CK^(IIP/p1) mod N

The data encryption key 1 1451 is then derived from the correspondingpreliminary data encrypt key by applying the same fixed deterministicfunction that was applied to derive the data encryption key 1 1451:K₁=SHA-1(PK₁)

The remaining data encryption keys 1454, 1456 and 1457 are derived inthe same manner. The data encryption keys 1451, 1454, 1456 and 1457 maythen be used to decrypt the encrypted content 1459 and access thecontent that, in this case, is movie M.

This method may be utilized for each movie derived from segment 1 1451through segment 8 1458. Although, in this discussion, only sixteendistinct movies may be constructed, in practical use there may behundreds or thousands of distinct movies and, hence, compressed keys.

In one implementation, a content provider would publicly provide theencrypted content together with various parameters—such as the modulusand the list of primes—on a computer-readable medium. Many compressedkeys could be provided either on the same medium or on a differentmedium, each compressed key allowing a user to access a subset of theencrypted content. By encrypting the compressed keys, each compressedkey could be protected from use by an unauthorized user. Each user wouldbe assigned a compressed key. If there are more compressed keys on themedium than there are users, a new user could be provided access to adata subset simply by providing the new user with the medium and themeans to decrypt one of the compressed keys already on the medium.

FIG. 15 is a flow diagram depicting a general method for deriving asingle, compressed key from which multiple keys may be derived. Themethod will be described in general terms of a database owner derivingencryption keys, encrypting database data, choosing a data subset fromthe database data, deriving a compressed key corresponding to the datasubset, and transmitting information to a customer that allows thecustomer to use the compressed key to access the data subset.

At step 1500 an owner of a database logically divides the database intodata segments. The segmentation is arbitrary and may be as simple asletting each datum of the database comprise one data segment. A smallprime number is associated with each data segment at step 1502, andordinals are associated with each data segment to create an index atstep 1504. It is noted that, although prime numbers are associated withthe data segments at step 1502, composite numbers may be used inaddition to—or in place of—the prime numbers. Ideally, however, primenumbers should be used.

At step 1506, the integer modulus, N, is formed as the product of twolarge prime numbers. It is noted that more than two prime numbers may beused in step 1506, although doing so may be less efficient. A randomvalue, x, is then selected wherein x and N do not have any factors incommon and 1<x<(N−1) (step 1508).

At step 1510, the owner determines a prime set that includes all theprime number that are associated with the database. In FIG. 14, theprime set is:

-   -   P={3, 5, 7, 11, 13, 17, 19, 23}.

A preliminary key is derived for each data segment at step 1512 byraising the random value x, modulo N, to the power of the product of theprime numbers in the prime set except for the prime number associatedwith the data segment for which the key is being derived. For example,deriving a preliminary key for data segment 1 (PK₁) entails solving:PK₁=x^(II(P)/pi) mod N,orPK₁=x^((5·7·11·13·17·19·23)) mod N.

A final key for data segment 1 is derived at step 1518 by applying afixed deterministic function, such as a cryptographic hash, to thepreliminary key for data segment 1:FK₁=SHA-1(PK₁).

A final key is derived for each of the data segments in the database. Atstep 1520, the owner of the database encrypts each segment with itsassociated data encryption key.

At step 1522, the owner of the database determines a data subset for thecustomer. The data subset is denoted as a set of indices. For example,referring back to the example given with reference to FIG. 14, the datasubset that is sent to the customer comprises the set I={1, 4, 6, 7}.The customer will receive the index and will understand the associationbetween the indices and the database.

At step 1524, the owner determines a complement prime subset, CP, thatincludes the prime numbers of the prime set that are not associated withany data segment in the data subset to be given to the customer. In theabove example, the complement prime subset comprises:

-   -   CP={5, 7, 13, 23}.

At step 1522, a compressed key (CK) is generated by the owner. Thecompressed key is generated such that only the specified data encryptionkeys can be extracted from the compressed key. This is accomplished bysolving:CK=x^(II(CP)) mod N,

-   -   where CP is the complement prime set. Therefore, the equation        becomes:        CK=x^((5·7·13·19)) mod N.

At step 1524, the owner sends the encrypted data, N, the prime set, theprime subset and the index to the customer, together with the compressedkey for the customer. The customer then extracts the keys that give thecustomer access to the data to which the customer is entitled.

FIG. 16 is a flow diagram depicting a general method for extractingmultiple keys from a single key. At step 1600, the customer receives theencrypted content package from the owner that was sent at step 1524. Thecustomer extracts a preliminary key for each data segment in the datasubset to which the customer is entitled by raising the compressed key,modulo N, to the power of the prime numbers in the prime subset exceptfor the prime number associated with the data segment for which a key isbeing extracted (step 1602). This is accomplished by solving:PK_(i)=CK^(II(PS)/pi) mod N.

This is done for each data segment in the data subset. A final key isthen obtained for each data segment at step 1604 by applying the samefixed deterministic function that was applied to generate the key. Forexample:FK_(i)=SHA-1(PK_(i)).

The customer now has a complete set of keys (one key for each datasegment in the data subset), which can be used at step 1606 to decryptthe data to which the customer is entitled.

Efficient Exponentiation Calculation

To recover a single key, k_(i), it is apparent that a customer needs totake its compressed key set, CK and raise it, modulo N, to the power ofall prime numbers, other than the prime number associated with k_(i), inthe prime subset, PS. Thus, the computational costs grow linearly withthe number of data to which a customer is granted access.

However, if a customer wants to recover more than one key at a time, theamortized costs shrink rapidly. For example, a customer can compute twoseparate keys with only one small-prime-number modular exponentiationmore than is required to compute a single key. This can easily beaccomplished by raising the compressed key set, CK, to the power of allprime numbers in the prime set, P, other than the two distinguishedprime numbers. This intermediate value can then be separatelyexponentiated by each of the two remaining primes to form thepreliminary keys corresponding to the two desired keys.

In the present example, wherein there are four keys to be recovered, itcan be seen that for the first key, the compressed key must be raised tothe power, modulo N, of the product of the other three primes in theprime subset. Likewise, for the second key, the compressed key is raisedto the power of three primes. The same is true for the third key and thefourth key. As a general rule, proceeding in this manner, (L)(L−1)exponentiations must be calculated (where L equals the number of keys tobe recovered.) In this example, the number of exponentiations is twelve,or four times three. This number is not significant, but if there areone thousand keys to be recovered, there must be 999,000exponentiations. This number is quite significant. By utilizing a treestructure as described below, the number of exponentiations can bereduced to L log₂ L small prime exponentiations. In the case of onethousand keys, this reduces the number of exponentiations fromapproximately one million to approximately twenty thousand, about fiftytimes less. It is apparent that savings on this order of magnitude aresignificant.

FIG. 17 depicts a tree structure that can be used to reduce calculationoverhead for the described implementations. In general, if M keys are tobe recovered, a tree can be formed with a value at the root equal to thecompressed key set raised, modulo N, to the power of all primes in theprime subset, PS, except those corresponding to the keys to berecovered.

Root node 1700 contains the compressed key, Z, which is equal to thebase value x raised to the power, modulo N, of the prime numbers in thecomplement prime set, CP, i.e., 5, 17, 13 and 23. A balanced binary treeis now constructed by associating each of the remaining primes of theprime set (i.e., all of the primes in the prime subset) with a leaf ofthe tree. Each node of the tree will now contain the compressed key set,Z, raised to the power of all prime numbers in the prime set other thanthose associated with the leaves of its sub-tree. As a result, M modularexponentiations must be done at each of the log M levels of the tree inorder to complete the tree. The values at the leaves correspond to the Mnewly recovered preliminary keys.

Root node 1700 has two sub-nodes, node 1702 and node 1704. Node 1702comprises the compressed key set, Z, raised, modulo N, to the powers of3 and 11. Node 1704 comprises the compressed key set, Z, raised, moduloN, to the powers 17 and 19. Leaf node 1706 comprises the value in node1702 raised, modulo N, to the power of 17. Therefore, the value of leafnode 1706 is preliminary key PK₁. Similarly, the values in leave nodes1708-1712 correspond to preliminary keys PK₄, PK₆ and PK₇, respectively.

Ideally, when recovering keys from a compressed key, a depth-firsttraversal is used to construct the tree. However, any practical methodknown in the art may be used to construct the tree structure.

As the exponential calculations are being performed, the tree isconstructed. The root node 1700 represents the compressed key 1461 andthe leaf nodes 1706, 1708, 1710, 1712 represent the decompressed keys1451, 1454, 1456, 1457. The intermediate nodes 1702, 1704 are simplyvalues that are used for deriving more than one leaf node 1706-1712.

For example, to derive leaf node 1706, the value represented byintermediate node 1702 is derived. This must be done separately for eachkey if the keys are derived separately. However, if key 1451 and key1454 (leaf nodes 1706 and 1708) are both to be derived, then each of theleaf nodes 1706, 1708 can be derived from intermediate node 1706 withonly one exponentiation. The same is true for intermediate node 1704 andleaf nodes 1710 and 1712. Combining the calculations saves significantresource overhead. The conceptual tree is larger and has more levelswhen there are more keys to be recovered. As the tree grows larger, sodoes the significance of the resource savings.

A tree structure as described can also be utilized to derive manycompressed keys together. In this manner, the compressed keys can bederived at a lower cost than that required to derive each compressed keyseparately. In such an implementation, the output of the integergenerator 1440 is placed at the root of the tree structure and thevalues at the leaves correspond to the compressed keys.

CONCLUSION

The embodiments described above provide improvements over past methodsand systems for providing key sets having multiple keys to multipleconsumers. The implementations reduce to one the number of keysdistributed to a single consumer, which could be any practical number ofkeys, but is often times very high, such as one thousand keys or more.

In the context of a DVD player, it is desirable to distribute the sameencrypted content to each unique consumer. In addition, it is desirablethat each consumer's key set be included on the same disk. If the numberof consumers is very high, e.g., fifty thousand, then loading fiftythousand different key sets on a DVD disk in addition to an encryptedmovie can become prohibitively unwieldy if each of the key sets isitself very large. The described implementations allow distributing theencrypted content with, for example, fifty thousand single keys and asmall amount of public data. This arrangement is logistically feasible.

The described implementations also disclose a method for reducing thenumber of calculations dramatically, making the method even moreacceptable for practical use.

Although details of specific implementations and embodiments aredescribed above, such details are intended to satisfy statutorydisclosure obligations rather than to limit the scope of the followingclaims. Thus, the invention as defined by the claims is not limited tothe specific features described above. Rather, the invention is claimedin any of its forms or modifications that fall within the proper scopeof the appended claims, appropriately interpreted in accordance with thedoctrine of equivalents.

1. A method for providing a single database to multiple users so thateach user can only access a data subset of the database that is uniqueto the user, the method comprising: logically dividing the database intosegments; encrypting each segment of the database; distributing theencrypted database to multiple users; formulating a single key for eachuser, wherein each user can extract a set of data keys from the singlekey; and wherein each user can utilize the extracted set of data keys toaccess a unique data subset of the database to which the user haspermission to access.
 2. A method for decrypting a data subset of anencrypted database that is logically divided into multiple segments,each segment being encrypted with a unique segment key, the methodcomprising: extracting a key set from a single key, each key in the keyset being uniquely associated with one segment of the data subset of thedatabase; and decrypting each segment of the data subset with a segmentkey from the key set.
 3. The method as recited in claim 2, furthercomprising using an integer modulus to extract the key set.
 4. Themethod as recited in claim 2, further comprising utilizing a set ofprime numbers to extract the key set, there being one prime numberuniquely associated with each segment in the database.
 5. A method fordistributing a first data subset of a database to a first user and asecond data subset of a database to a second user, the first user beingexcluded from accessing the second data subset and the second user beingexcluded from accessing the first data subset, the method comprising:logically dividing the database into multiple segments, the first userbeing entitled to a plurality of segments that make up the first datasubset, the second user being entitled to a plurality of segments thatmake up the second data subset; encrypting each segment of the databaseto derive an encrypted database; deriving a first key from which thefirst user can derive a set of segment keys, each segment key beinguniquely associated with one segment in the first data subset; derivinga second key from which the second user can derive a set of segmentkeys, each segment key being uniquely associated with one segment in thesecond data subset; distributing the encrypted database and the firstkey to the first user; distributing the encrypted database and thesecond key to the second user; and wherein the first user can gainaccess to the first data subset from the first key but cannot access anysegment that is not included in the first data subset, and the seconduser can gain access to the second data subset from the second key but6. The method as recited in claim 5, further comprising creating anindex to the database segments, the index comprising a series ofordinals, each ordinal corresponding to one segment in the database. 7.The method as recited in claim 5, further comprising applying a fixeddeterministic function to each segment key prior to using the segmentkey to encrypt the segment associated with the segment key.
 8. Themethod as recited in claim 5, wherein: deriving a first key furthercomprises: determining a first complement prime set that includes theprime numbers in the prime set that are not associated with any segmentsin the first data subset; and raising the random value, modulo themodulus, to the power of the product of the first complement prime set;deriving the second key further comprises: determining a secondcomplement prime set that includes the prime number in the prime setthat are not associated with any segments in the second data subset; andraising the random value, modulo the modulus, to the power of theproduct of the second complement prime set.
 9. The method as recited inclaim 5, further comprising creating an index to the database segments,the index comprising a series of ordinals, each ordinal corresponding toone segment in the database.
 10. The method as recited in claim 5,further comprising applying a fixed deterministic function to eachsegment key prior to using the segment key to encrypt the segmentassociated with the segment key.